Analysis
max time kernel: 142s
max time network: 153s
platform: windows7_x64
resource: win7-20230220-en
resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
submitted: 09-04-2023 17:52
Behavioral task: behavioral1
Sample: niga.exe
Resource: win10-20230220-en
Behavioral task: behavioral2
Sample: niga.exe
Resource: win7-20230220-en
General
Target: niga.exe
Size: 69KB
MD5: 78cfee5877e0dc8298c063852d986fce
SHA1: 772af76ebad5d0a9b186b88bfe248d137587ab42
SHA256: 48d2deb6157a8365171fb07e8b41e1cb2ae6a2757f30814d8501c231484a4077
SHA512: c002c1d88a3dbc72190e22bb0ebf3f502a8126b43704c083f114add555707a4b0c480e0af8b4edd9a1043137f9e5c4e33a6d8dcd84de716bebc932bb38a20f85
SSDEEP: 1536:VMHzzWTpYHzC8tIi0HchALTvbsbvA3teOWTkuLPZ9b3mrcxug0ZdRaEX1iNyaF97:VMHHWTpYHzC8t5aceLTAbvcwkWR9bPuI
Malware Config
Extracted
  njrat
  Platinum
  HacKed
  127.0.0.1:31440
  win64.exe
  reg_key: win64.exe
  splitter: |Ghost|
Signatures
Deletes itself (1 IoC)
Processes:
  pid   process
  752   cmd.exe
Executes dropped EXE (1 IoC)
Processes:
  pid   process
  1276  win64.exe
Drops file in Windows directory (1 IoC)
Processes:
  description   ioc                   process
  File created  C:\Windows\win64.exe  niga.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious use of AdjustPrivilegeToken (21 IoCs)
Processes:
  description                        pid   process
  Token: SeDebugPrivilege            1276  win64.exe
  Token: 33                          1276  win64.exe
  Token: SeIncBasePriorityPrivilege  1276  win64.exe
  Token: 33                          1276  win64.exe
  Token: SeIncBasePriorityPrivilege  1276  win64.exe
  Token: 33                          1276  win64.exe
  Token: SeIncBasePriorityPrivilege  1276  win64.exe
  Token: 33                          1276  win64.exe
  Token: SeIncBasePriorityPrivilege  1276  win64.exe
  Token: 33                          1276  win64.exe
  Token: SeIncBasePriorityPrivilege  1276  win64.exe
  Token: 33                          1276  win64.exe
  Token: SeIncBasePriorityPrivilege  1276  win64.exe
  Token: 33                          1276  win64.exe
  Token: SeIncBasePriorityPrivilege  1276  win64.exe
  Token: 33                          1276  win64.exe
  Token: SeIncBasePriorityPrivilege  1276  win64.exe
  Token: 33                          1276  win64.exe
  Token: SeIncBasePriorityPrivilege  1276  win64.exe
  Token: 33                          1276  win64.exe
  Token: SeIncBasePriorityPrivilege  1276  win64.exe
Suspicious use of WriteProcessMemory (12 IoCs)
Processes:
  description                      pid   process   target process
  PID 832 wrote to memory of 1276  832   niga.exe  win64.exe
  PID 832 wrote to memory of 1276  832   niga.exe  win64.exe
  PID 832 wrote to memory of 1276  832   niga.exe  win64.exe
  PID 832 wrote to memory of 1276  832   niga.exe  win64.exe
  PID 832 wrote to memory of 752   832   niga.exe  cmd.exe
  PID 832 wrote to memory of 752   832   niga.exe  cmd.exe
  PID 832 wrote to memory of 752   832   niga.exe  cmd.exe
  PID 832 wrote to memory of 752   832   niga.exe  cmd.exe
  PID 752 wrote to memory of 1456  752   cmd.exe   choice.exe
  PID 752 wrote to memory of 1456  752   cmd.exe   choice.exe
  PID 752 wrote to memory of 1456  752   cmd.exe   choice.exe
  PID 752 wrote to memory of 1456  752   cmd.exe   choice.exe
Processes
C:\Users\Admin\AppData\Local\Temp\niga.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\niga.exe"
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  C:\Windows\win64.exe
    command line: "C:\Windows\win64.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
  C:\Windows\SysWOW64\cmd.exe
    command line: "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 5 & Del "C:\Users\Admin\AppData\Local\Temp\niga.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\choice.exe
      command line: choice /C Y /N /D Y /T 5
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Windows\win64.exe
  Filesize: 69KB
  MD5: 78cfee5877e0dc8298c063852d986fce
  SHA1: 772af76ebad5d0a9b186b88bfe248d137587ab42
  SHA256: 48d2deb6157a8365171fb07e8b41e1cb2ae6a2757f30814d8501c231484a4077
  SHA512: c002c1d88a3dbc72190e22bb0ebf3f502a8126b43704c083f114add555707a4b0c480e0af8b4edd9a1043137f9e5c4e33a6d8dcd84de716bebc932bb38a20f85
memory/832-54-0x00000000002A0000-0x00000000002B8000-memory.dmp
  Filesize: 96KB
memory/1276-61-0x0000000000090000-0x00000000000A8000-memory.dmp
  Filesize: 96KB
memory/1276-62-0x0000000004BA0000-0x0000000004BE0000-memory.dmp
  Filesize: 256KB
memory/1276-63-0x0000000004BA0000-0x0000000004BE0000-memory.dmp
  Filesize: 256KB
memory/1276-64-0x0000000004BA0000-0x0000000004BE0000-memory.dmp
  Filesize: 256KB
memory/1276-65-0x0000000004BA0000-0x0000000004BE0000-memory.dmp
  Filesize: 256KB
memory/1276-66-0x0000000001E10000-0x0000000001E1A000-memory.dmp
  Filesize: 40KB